Cyberthieves Train Their Sights on US Mobile Phone Customers

By David Jones
Aug 29, 2017 12:08 PM PT

A relatively new form of cybercrime recently has been plaguing American consumers. Thieves have been hijacking mobile phone account numbers and then transferring services to a different device, The New York Times reported last week.

Further, hackers have begun using mobile numbers to raid digital wallets and similar accounts, according to the paper.

This type of theft has been successful even against the most sophisticated of consumers. Accounts belonging to the chief technologist of the Federal Trade Commission, Lorrie Cranor, are among those that reportedly have been breached.

A simple identity theft scam targeted two of her phones, Cranor wrote in an online post earlier this year, resulting in her eventually losing control of her devices and her account information, not to mention the intrusion into her personal life and loss of privacy.

Identity thieves simply walked into a store, claimed to be her, and asked for a mobile phone upgrade. They walked out with two new iPhones assigned to her number. The SIM cards on her account were deactivated.

The FTC declined to comment on whether it was pursuing an investigation related to the incident.

Cyberthefts involving a mobile phone account hijacking or opening of a new mobile account in a victim's name have jumped from 1,038 reported to the FTC in January of 2013, or 3.2 of all identity thefts reported to the commission in that month, to 2,638 in January 2016, or 6.3 percent.

Because only about 1 percent of identity thefts are reported to the FTC, regulators have only a small slice of examples to evaluate when trying to get ahead of data scams.

Vulnerable Systems

The incidents that have been reported showcase a vulnerability in today's security protocols, said Mark Nunnikhoven, senior vice president for cloud research at Trend Micro.

A lot of multifactor identifications systems use text messages as a tool to verify identity, because the goal of many attacks is to take control over the phone number and not the physical handset, he told the E-Commerce Times.

"These attacks use social engineering techniques to abuse a mobile phone provider's business processes," Nunnikhoven said. "The attacker calls up the mobile phone provider and uses just enough information about you, plus a few social engineering techniques, to get the provider to transfer the number to new accounts."

It's a lot easier to have a legit number ported than it is to hack an entire phone network, he noted.

However, hacking numbers has been a feature of SS7 attacks in the past, Nunnikhoven recalled. The System Signaling 7 system, which is used by mobile phone networks to communicate with each other, is vulnerable to a type of hack that transfers phone and text messages to another device. An SS7 attack was demonstrated in the U.S. most famously in a 2016 60 Minutes segment.

Adding layers of security to authenticate a legitimate customer creates additional problems for mobile phone companies that have to deal with millions of calls and need to create an efficient workflow while making sure customer data is secure, Nunnikhoven pointed out.

"Every mitigation that you can use to avoid this kind of account hijacking makes that customer service workflow more difficult," he said, which is "exactly what the carrier is trying to avoid."

Easy Come, Easy Go

Password resets are only as secure as the destination of the reset, said Kevin Epstein, vice president of the threat operations center at Proofpoint.

"Persuading phone companies to transfer numbers to a new device is like [filing] a mail forwarding order with the post office and then asking for a credit card company to mail a new PIN to a cardholder's address," he told the E-Commerce Times.

US Security Lagging

Cybertheft of mobile phone numbers "is a U.S. problem to the best of my knowledge," said Sean Sullivan, security advisor at F-Secure.

"European and certainly Finnish operators have stronger controls in place to prevent transferring accounts to new SIMs," he told the E-Commerce Times.

"So why hijack the phone number? The point of hijacking the phone number is because it guards the Gmail account, for example," Sullivan said.

"The Gmail account is used to provide access to financial accounts. So, you gain control of the phone number, you go to Gmail and use the 'I forgot my password' and Google sends a code to your phone number that is used in the password reset process. And then the thief can use the Gmail account to reset bank passwords, etc. And services such as PayPal may use SMS messages as a second factor of authentication," he explained.

"Basically, in order to protect what were originally Web-based services, companies extended security to phones -- using them as a second factor. So, the phone is now a target," Sullivan remarked.

Two measures that Sullivan takes to protect his accounts:

"I have email addresses for Google / Windows / Apple accounts that are used only for administrating my accounts. The associated email addresses are not used in connection with my online services.

"I try to avoid providing my phone number to my online services. I use an authenticator app for MFA/2FA . Hijacking my phone number will not provide access to my authenticator app."

"So, what to do?" Sullivan asked.

"U.S. operators need to improve security controls -- thieves have reportedly been successful in getting numbers transferred by repeatedly calling customer support, until they reached an agent willing to make the change even without all the proper information," he noted.

Further, "online services should do more to encourage and provide options for authenticator apps -- and to move away from phone/SMS-based solutions," Sullivan recommended, "at least for tech-savvy customers with something more to lose."

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.